Debian Bug report logs - #626424
Please implement a method to save and restore netfilter rules at boot

Package: general; Maintainer for general is debian-devel@lists.debian.org;

Reported by: Costin <costinel@gmail.com>

Date: Wed, 11 May 2011 21:21:01 UTC

Severity: normal

Done: Holger Levsen <holger@layer-acht.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#626424; Package (none). (Wed, 11 May 2011 21:21:05 GMT)

Acknowledgement sent to Costin <costinel@gmail.com>:
New Bug report received and forwarded. Copy sent to unknown-package@qa.debian.org.

Your message had a Version: pseudo-header with an invalid package version:

(none)

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Wed, 11 May 2011 21:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Costin <costinel@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please implement a method to save and restore netfilter rules at boot
Date: Thu, 12 May 2011 00:15:07 +0300
Package: (none)
Version: (none)

There have been several requests against the iptables package to
include an init script, all rejected by the maintainer:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413550
(Can't set iptable rules before initiating network at boot)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=434107
(Iptables init script [attached])

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580943
(Should include a simple ifupdown script to configure iptables from
rules file or setup script)

I wish there was a simple apt-gettable way of getting my netfilter
rules saved and restored automatically.
For example, Redhat's iptables package is a tested and working model
that can be applied (I actually wget their src.rpm from which I
extract the init script and mkdir the /etc/sysconfig/iptables)

Thank you.

Costin Gusa
Independent IT Professional
http://ro.linkedin.com/in/costinel
+407.23.24.71.79
+40723.010.262




Bug reassigned from package '(none)' to 'general'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. (Thu, 12 May 2011 05:54:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#626424; Package general. (Thu, 12 May 2011 20:24:09 GMT)

Acknowledgement sent to Andrei Popescu <andreimpopescu@gmail.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Thu, 12 May 2011 20:24:09 GMT)

Message #12 received at 626424@bugs.debian.org:

From: Andrei Popescu <andreimpopescu@gmail.com>
To: costinel@gmail.com
Cc: 626424@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Thu, 12 May 2011 23:21:56 +0300
Hi Costin,

See if iptables-persistent does what you need.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#626424; Package general. (Fri, 13 May 2011 18:21:03 GMT)

Acknowledgement sent to Costin <costinel@gmail.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Fri, 13 May 2011 18:21:03 GMT)

Message #17 received at 626424@bugs.debian.org:

From: Costin <costinel@gmail.com>
To: Andrei Popescu <andreimpopescu@gmail.com>
Cc: 626424@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Fri, 13 May 2011 21:17:55 +0300
On Thu, May 12, 2011 at 23:21, Andrei Popescu <andreimpopescu@gmail.com> wrote:
> Hi Costin,
>
> See if iptables-persistent does what you need.

Thank you for pointing that package, Andrei. Unfortunately it does not
have the ability to save the current filter rules set, as Redhat's
does.

/etc/init.d/iptables-persistent save
Usage: /etc/init.d/iptables-persistent
{start|stop|force-stop|restart|force-reload|status}




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#626424; Package general. (Fri, 13 May 2011 18:24:03 GMT)

Acknowledgement sent to Costin <costinel@gmail.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Fri, 13 May 2011 18:24:03 GMT)

Message #22 received at 626424@bugs.debian.org:

From: Costin <costinel@gmail.com>
To: Andrei Popescu <andreimpopescu@gmail.com>
Cc: 626424@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Fri, 13 May 2011 21:20:54 +0300
On Fri, May 13, 2011 at 21:17, Costin <costinel@gmail.com> wrote:
> On Thu, May 12, 2011 at 23:21, Andrei Popescu <andreimpopescu@gmail.com> wrote:
>> Hi Costin,
>>
>> See if iptables-persistent does what you need.
>
> Thank you for pointing that package, Andrei. Unfortunately it does not
> have the ability to save the current filter rules set, as Redhat's
> does.
>
> /etc/init.d/iptables-persistent save
> Usage: /etc/init.d/iptables-persistent
> {start|stop|force-stop|restart|force-reload|status}
>

It is however a good starting point and I will file a bug against this
package for feature requests.




Message sent on to Costin <costinel@gmail.com>:
Bug#626424. (Fri, 13 May 2011 20:45:07 GMT)

Message #25 received at 626424-submitter@bugs.debian.org:

From: Tollef Fog Heen <tfheen@err.no>
To: 626424-submitter@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Fri, 13 May 2011 22:43:29 +0200
]] Costin 

| On Thu, May 12, 2011 at 23:21, Andrei Popescu <andreimpopescu@gmail.com> wrote:
| > Hi Costin,
| >
| > See if iptables-persistent does what you need.
| 
| Thank you for pointing that package, Andrei. Unfortunately it does not
| have the ability to save the current filter rules set, as Redhat's
| does.

I believe doing:

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

should do this for you.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#626424; Package general. (Fri, 13 May 2011 21:39:51 GMT)

Acknowledgement sent to Bernd Zeimetz <bernd@bzed.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Fri, 13 May 2011 21:39:56 GMT)

Message #30 received at 626424@bugs.debian.org:

From: Bernd Zeimetz <bernd@bzed.de>
To: 626424@bugs.debian.org
Cc: costinel@gmail.com
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Fri, 13 May 2011 23:31:25 +0200
Hi,

If I remember right such functions were removed from the iptables package for
various good reasons, for example to avoid that people lock themselves out.

Implementing something similar is pretty easy, add something like

pre-up iptables-restore < /etc/network/iptables.save || true

to the network config in your /etc/network/interfaces and at the point when you
have a well working iptables config use
iptables-save > /etc/network/iptables.save

I'd never recommend to let something save iptables rules automatically. Do it
manually when you're sure that you have a working configuration.

Or even better, use ferm instead.

-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#626424; Package general. (Tue, 17 May 2011 12:09:11 GMT)

Acknowledgement sent to Costin <costinel@gmail.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 17 May 2011 12:09:29 GMT)

Message #35 received at 626424@bugs.debian.org:

From: Costin <costinel@gmail.com>
To: Bernd Zeimetz <bernd@bzed.de>
Cc: 626424@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Tue, 17 May 2011 15:04:55 +0300
On Sat, May 14, 2011 at 00:31, Bernd Zeimetz <bernd@bzed.de> wrote:
> Hi,
>
> If I remember right such functions were removed from the iptables package for
> various good reasons, for example to avoid that people lock themselves out.
>
> Implementing something similar is pretty easy, add something like
>
> pre-up iptables-restore < /etc/network/iptables.save || true

I pretty much want to manually change as few configuration
files as possible

>
> to the network config in your /etc/network/interfaces and at the point when you
> have a well working iptables config use
> iptables-save > /etc/network/iptables.save
>
> I'd never recommend to let something save iptables rules automatically. Do it
> manually when you're sure that you have a working configuration.
>
I did not mention the word "automatically". I just want to have a
lazyman's way[1] to
- manually save rules
- automatically restore saved rules at boot
That's exactly what the iptables initscript does in redhat, for the
past 11 years (first appeared in "ipchains"
http://legacy.redhat.com/pub/redhat/linux/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm)

For that, Andrei's recommendation of iptables-persistent seems the
most tolerable answer, especially with Tollef's hint of saving - and I
hope the package maintainer will be kind enough to (accept a patch
for)/(develop) the initscript to parse a 'save' parameter

> Or even better, use ferm instead.
Tried it but, uh, I'm comfortable enough with iptables syntax

___
[1] type as little as possible, memorize as little as possible




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#626424; Package general. (Tue, 17 May 2011 15:33:02 GMT)

Acknowledgement sent to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 17 May 2011 15:33:03 GMT)

Message #40 received at 626424@bugs.debian.org:

From: Peter Samuelson <peter@p12n.org>
To: Costin <costinel@gmail.com>, 626424@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Tue, 17 May 2011 10:30:12 -0500
> On Sat, May 14, 2011 at 00:31, Bernd Zeimetz <bernd@bzed.de> wrote:
> > to the network config in your /etc/network/interfaces and at the point when you
> > have a well working iptables config use
> > iptables-save > /etc/network/iptables.save

I go further: I run the iptables-save > /etc/network/iptables.rules
only once, to create a skeleton, and after that I treat that file as
primary source.  I edit it as needed and "apply changes" with
iptables-restore, which atomically replaces the whole set.  This seems
more natural to me than treating the live system as primary source and
"editing" that with iptables.  (Text editors provide a much more
natural interface than iptables does, for operations like renaming
tables, reordering and grouping rules logically, and the like.  Plus, I
can add arbitrary comments.)

I wouldn't mind a 'pre-up iptables-restore /etc/network/iptables.rules'
in the debian interfaces file by default ... but I don't expect it will
ever happen (lots of people don't work the way I work), so I add it
myself.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
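The workflow Bernd and Peter describe above (keep an iptables-save file as the primary source, load it from a `pre-up` line, save by hand only once the set is known good, using the `iptables-save > file` step Tollef gives), as an added example that is not part of the bug report, of iptables-persistent or of Debian's iptables package. It adds the check a remote administrator wants before `iptables-restore` runs at boot: the file must be structurally complete (every `*table` closed by `COMMIT`) and is flagged when it drops INPUT without accepting SSH or established connections, which is the lock-out Bernd warns about. The file paths, function names and the three sample rule sets are constructed for the example; `iptables-restore --test` is the real parse-only dry run of that tool and is only invoked by `apply_rules`.

```shell
#!/bin/sh
# Added example, not code from the bug report or from iptables-persistent:
# treat an iptables-save file as the primary source of truth and check it
# before a "pre-up iptables-restore" line loads it at boot.  Paths, names
# and rule sets below are constructed for this example.

# Return 0 if every "*table" block in FILE is closed by a COMMIT line and
# the filter table declares a policy for its INPUT chain.
check_rules_file() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; table = $1; next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        /^:INPUT / { if (table == "*filter") have_input = 1 }
        END { if (bad || open || !have_input) exit 1; exit 0 }
    ' "$1"
}

# Return 0 (risk present) if the filter INPUT policy is DROP and no INPUT
# rule accepts established connections or SSH (port 22); restored at boot
# on a remote host, such a file cuts off the administrator.
lockout_risk() {
    policy=$(awk '/^\*/ { table = $1 } table == "*filter" && /^:INPUT / { print $2 }' "$1")
    [ "$policy" = "DROP" ] || return 1
    grep -Eq -- '^-A INPUT .*(ESTABLISHED|--dport 22 ).*-j ACCEPT' "$1" && return 1
    return 0
}

# Load FILE only if it passes the structural check; run the parse-only
# dry run (iptables-restore --test) before committing the rule set.
apply_rules() {
    check_rules_file "$1" || { echo "refusing to load $1: malformed" >&2; return 2; }
    if lockout_risk "$1"; then
        echo "warning: $1 drops INPUT without accepting SSH or established traffic" >&2
    fi
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1" && iptables-restore < "$1"
    else
        echo "iptables-restore not installed; $1 was checked but not loaded" >&2
        return 3
    fi
}

# Constructed sample rule sets in iptables-save format (not from any real host).
workdir=$(mktemp -d)
good="$workdir/rules.v4"
cat > "$good" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

risky="$workdir/rules.lockout"
cat > "$risky" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF

broken="$workdir/rules.broken"
cat > "$broken" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
EOF

for f in "$good" "$risky" "$broken"; do
    if ! check_rules_file "$f"; then
        echo "$f: malformed, would not be restored"
    elif lockout_risk "$f"; then
        echo "$f: well-formed, but would lock out a remote administrator"
    else
        echo "$f: well-formed"
    fi
done
```

Put in a script, `apply_rules /etc/network/iptables.rules` is what the `pre-up` line in /etc/network/interfaces would call instead of a bare `iptables-restore < file`; the structural check matters most for a text-edited primary source, where a missing `COMMIT` is the usual slip, and a rejected file leaves the previous rule set (or none, at boot) in place rather than a half-loaded one. For interactive edits on a live host, Debian's iptables package also ships iptables-apply(8), which reverts to the previous rule set unless the change is confirmed within a timeout.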




Reply sent to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility. (Mon, 28 May 2012 09:15:06 GMT)

Notification sent to Costin <costinel@gmail.com>:
Bug acknowledged by developer. (Mon, 28 May 2012 09:15:35 GMT)

Message #45 received at 626424-done@bugs.debian.org:

From: Holger Levsen <holger@layer-acht.org>
To: 626424-done@bugs.debian.org
Subject: Re: Bug#626424: Please implement a method to save and restore netfilter rules at boot
Date: Mon, 28 May 2012 11:10:45 +0200
Hi Costin,

On Friday, 13 May 2011, Costin wrote:
> >> See if iptables-persistent does what you need.
> > Thank you for pointing that package, Andrei. Unfortunately [...]
> It is however a good starting point and I will file a bug against this
> package for feature requests.

thus closing this bug, also since it's not a general issue in Debian :)


cheers,
	Holger




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2012 07:36:35 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 04:23:29 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.